
W32/Brontok.A@mm - Released Oct 05, 2006 - Last Updated Aug 23, 2007

Detection Availability

  Product       Active Database   Extended Database
  FortiGate     low               high
  FortiClient
  FortiMail     N/A

Visible Symptoms

  • It drops the following files (User stands for the logged-on user's profile name and Windir for the Windows directory, c:\windows in the registry data below):
    • c:\Documents and Settings\User\Local Settings\Application Data\csrss.exe
    • c:\Documents and Settings\User\Local Settings\Application Data\inetinfo.exe
    • c:\Documents and Settings\User\Local Settings\Application Data\lsass.exe
    • c:\Documents and Settings\User\Local Settings\Application Data\services.exe
    • c:\Documents and Settings\User\Local Settings\Application Data\smss.exe
    • c:\Documents and Settings\User\Local Settings\Application Data\winlogon.exe
    • c:\Documents and Settings\User\Start Menu\Programs\Startup\Empty.pif
    • c:\Documents and Settings\User\Templates\WowTumpeh.com
    • c:\System\'s Setting.scr
    • c:\Windir\eksplorasi.pif
    • c:\Windir\ShellNew\bronstab.exe

    Detailed Analysis

    W32/Brontok.A@mm - 06-10-05

    More Info:

  • Adds the following registry value (runs the dropped file at each logon):
    • key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • value: Bron-Spizaetus
    • data: c:\windows\ShellNew\bronstab.exe
  • Adds the following registry value (runs the dropped file at each logon):
    • key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    • value: Tok-Cirrhatus
    • data: c:\Documents and Settings\User\Local Settings\Application Data\smss.exe
  • Modifies the following registry value (Winlogon starts the dropped file alongside Explorer as the user shell; when cleaning, restore the value to Explorer.exe rather than deleting it):
    • key: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    • value: Shell
    • data: Explorer.exe c:\windows\eksplorasi.pif
  • Modifies the following registry value (removes Folder Options from Explorer's menus):
    • key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    • value: NoFolderOptions
    • data: 1
  • Modifies the following registry value (hides files with the hidden attribute):
    • key: HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced
    • value: Hidden
    • data: 0
  • Modifies the following registry value (hides protected operating system files):
    • key: HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced
    • value: ShowSuperHidden
    • data: 0
  • Modifies the following registry value (hides file extensions, so the dropped .exe, .pif, .com and .scr files do not show their type):
    • key: HKCU\Software\Microsoft\Windows\CurrentVersion\explorer\advanced
    • value: HideFileExt
    • data: 1
  • Modifies the following registry value (blocks the Registry Editor for the current user):
    • key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • value: DisableRegistryTools
    • data: 1
  • Modifies the following registry value (a value of 0 leaves the command prompt enabled):
    • key: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
    • value: DisableCMD
    • data: 0

    Recommended Action

      FortiGate Systems

    • Check the main screen in the web interface of your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the 'Allow Push Update' option.

      FortiClient Systems

    • Quarantine or delete the files that are detected and replace infected files with clean backup copies. The dropped csrss.exe, lsass.exe, services.exe, smss.exe and winlogon.exe copies share their names with legitimate Windows processes; only the copies under the user's Local Settings\Application Data folder are the worm's, so confirm the path before deleting, terminate the running copies first, and then revert the Run, Winlogon Shell and policy registry changes listed above.
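
    The following script is an added example and not Fortinet's own tooling: it audits a Windows host for the dropped files and registry changes listed in the analysis above and, with -Fix, reverts them as the recommended action describes. It assumes the entry's User and Windir placeholders map to the current profile folders and %WINDIR%, restores the Explorer view settings to a "show hidden files and extensions" state (a choice, not a Windows default), and does not look for the 's Setting.scr file, whose name prefix the listing leaves unresolved.

```powershell
# Added example, not Fortinet's code: audit a Windows host for the files and
# registry changes this entry lists for W32/Brontok.A@mm and, with -Fix, revert them.
# Run from an elevated PowerShell; without -Fix it only reports.
param([switch]$Fix)

$findings = @()

# Resolve the entry's "User" and "Windir" placeholders for the current profile/host.
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')
$startup      = [Environment]::GetFolderPath('Startup')
$templates    = [Environment]::GetFolderPath('Templates')
$windir       = $env:WINDIR

# 1. Run-key values. The value names are the indicator; the data shows what they launch.
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'Bron-Spizaetus', 'Tok-Cirrhatus') {
    $data = (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $data) {
        $findings += "Run value '$name' -> $data"
        if ($Fix) { Remove-ItemProperty -Path $runKey -Name $name }
    }
}

# 2. Winlogon Shell must be exactly "Explorer.exe"; reset it, never delete the value.
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ine 'Explorer.exe') {
    $findings += "Winlogon Shell -> '$shell'"
    if ($Fix) { Set-ItemProperty -Path $winlogon -Name Shell -Value 'Explorer.exe' }
}

# 3. Policy values that lock the user out of Folder Options and the Registry Editor.
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = 'NoFolderOptions'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = 'DisableRegistryTools'
}
foreach ($key in $policies.Keys) {
    $name = $policies[$key]
    $data = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($data -eq 1) {
        $findings += "$name = 1 under $key"
        if ($Fix) { Remove-ItemProperty -Path $key -Name $name }
    }
}

# 4. Explorer view settings. The worm hides hidden/system files and extensions; the
#    targets below are the analyst-friendly "show everything" settings (assumed here,
#    not a Windows default), so a missing or different value is reported and set.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$wanted = @{ Hidden = 1; ShowSuperHidden = 1; HideFileExt = 0 }
foreach ($name in $wanted.Keys) {
    $data = (Get-ItemProperty -Path $advanced -Name $name -ErrorAction SilentlyContinue).$name
    if ($data -ne $wanted[$name]) {
        $findings += "Explorer\Advanced $name = $data"
        if ($Fix) { Set-ItemProperty -Path $advanced -Name $name -Value $wanted[$name] -Type DWord }
    }
}

# 5. Dropped files. The .exe names copy real system processes, but the real ones live
#    under $windir\system32; only the copies under the user profile are checked here.
$files = @(
    foreach ($n in 'csrss', 'inetinfo', 'lsass', 'services', 'smss', 'winlogon') {
        Join-Path $localAppData "$n.exe"
    }
    Join-Path $startup   'Empty.pif'
    Join-Path $templates 'WowTumpeh.com'
    Join-Path $windir    'eksplorasi.pif'
    Join-Path $windir    'ShellNew\bronstab.exe'
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) {
        $findings += "File present: $f"
        if ($Fix) {
            # Stop any running copy first, or the file stays locked and may be re-dropped.
            Get-Process -ErrorAction SilentlyContinue |
                Where-Object { $_.Path -and $_.Path -ieq $f } |
                Stop-Process -Force -ErrorAction SilentlyContinue
            Remove-Item -LiteralPath $f -Force
        }
    }
}

if ($findings) { $findings } else { 'No Brontok.A indicators found.' }
```

    Run it once without -Fix to review the report, then with -Fix from an elevated prompt; the order matters, because the Run and Winlogon entries are removed before the files so that a reboot during cleanup does not relaunch a copy.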


    Reference: ID - 99294